
21.02.16 [058] Tue

by 6^6 2021. 2. 16.

Security (authentication & authorization)

- I ended up working in the information security team

- What is security? Authorization. Social login is also handled with an authentication key and an authorization key.

 

Reference blog

codevang.tistory.com/266
"Spring Security_Login_Basic context setup [1/9]"
(environment of that post: Develop OS: Windows10 Ent, 64bit; WEB/WAS Server: Tomcat v9.0; DBMS: MySQL 5.7.29 for Linux (Docker); Language: JAVA 1.8 (JDK 1.8); Framework: Spring 3.1.1 Release; Build Tool: Maven 3.6..)

1. pom.xml: configure the four libraries - watch the versions (check on Maven Repository that they are compatible with the core version:
		https://mvnrepository.com/artifact/org.springframework.security/spring-security-core)
	
    ....this part, the four libraries!....
<!-- Spring Security -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-core</artifactId>
			<version>${org.security-version}</version>
		</dependency>
 
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>${org.security-version}</version>
		</dependency>
 
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>${org.security-version}</version>
		</dependency>
 
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-taglibs</artifactId>
			<version>${org.security-version}</version>
		</dependency>
        .....

 

2. web.xml configuration - caution --- the filters must be configured
 - the Korean (UTF-8) encoding handling, and below it the creation of the security object
 - put the corresponding xml into contextConfigLocation
 
First, copy-paste the Korean (character encoding) filter
	<filter>
		<filter-name>encoding</filter-name>
		<filter-class>org.springframework.web.filter.CharacterEncodingFilter
		</filter-class>
		<init-param>
			<param-name>encoding</param-name>
			<param-value>UTF-8</param-value>
		</init-param>
	</filter>
 
	<filter-mapping>
		<filter-name>encoding</filter-name>
		<servlet-name>appServlet</servlet-name>
	</filter-mapping>
    
 
Then copy-paste the Spring Security filter (it MUST go below the Korean encoding filter!!!). Check: the encoding filter above is mapped by <servlet-name> while this one is mapped by <url-pattern>, and the servlet container runs all <url-pattern> filter mappings before any <servlet-name> mappings regardless of declaration order, so to be sure the request encoding is set before the login parameters are read, map the encoding filter with <url-pattern>/*</url-pattern> as well.
	<!-- Spring Security Filter -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
 
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
    
    
=====================================
[security-context.xml] create it in the appServlet folder!
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
	xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
      http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

	<!-- add this part: memorize it! -->
	<http>
		<form-login />
	</http>

	<!-- provider -->
	<authentication-manager>

	</authentication-manager>


</beans:beans>


====================================
Add the security-context.xml entry to [web.xml]! (the path given here must match where the file was actually created)
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>/WEB-INF/spring/root-context.xml
					/WEB-INF/spring/security-context.xml
		</param-value>
	</context-param>

If you have followed along through step 2, type /login! If this page appears, it worked.

--Who made this page??

1. Someone is responding to /login with a login page.

2. Someone is handling /login.

3. ★Someone (Spring Security) is intercepting /login. (why? ★because I am not handling it in a controller★)★

Where security-context.xml goes (image)

↓ Reference diagram (image)

Just know about 12 of them

 3. The concepts of authentication and authorization are needed.
 Authentication - proving who you are - the ID and password at login
 Authorization - a qualification granted by someone else - admin vs. regular user (access rights to resources differ)
 
 <Spring Security (the 4 libraries) (encapsulates items 1-5)>
1 - a framework for authentication and authorization
2 - encryption (not cryptography) - how encoding and decoding are done
3 - CSRF and XSS concepts! how to defend against them
4 - Spring Security - the session object★ --- customizing these is the final goal
5 - how to use the Spring Security tags in JSP

 
  The most basic setup (explanation 1)
================================================================
	<http> 
		<form-login />
	</http> 
	
	<!-- provider --> 
	<authentication-manager>

	</authentication-manager>
================================================================

  The most basic setup (explanation 2)
================================================================
	<http> 
		<intercept-url pattern="/security/all" access="permitAll" />
		<intercept-url pattern="/security/member" access="hasRole('ROLE_MEMBER')" />  
		<form-login />
	</http> 
	
	<!-- provider --> 
	<authentication-manager>

	</authentication-manager>
================================================================

  The most basic setup (explanation 3)
  1. Since Spring 5 (Spring Security 5), use of a PasswordEncoder is enforced
  If you want to use a password without encoding, prefix it with {noop} (this keeps the password in clear text; fine for this exercise, not for real accounts)
================================================================
	<http> 
		<intercept-url pattern="/security/all" access="permitAll" />
		<intercept-url pattern="/security/member" access="hasRole('ROLE_MEMBER')" />  
		<form-login />
	</http> 
	
	<!-- provider --> 
	<authentication-manager>
		<authentication-provider> 
			<user-service> 
				<user name="member" password="{noop}member" authorities="ROLE_MEMBER" /> 
			</user-service> 
		</authentication-provider>
	</authentication-manager>
================================================================
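What the {noop} prefix above means to Spring Security 5, as an added example that is not part of these notes or of the Spring project: the delegating PasswordEncoder behind <authentication-manager> picks the real encoder from the {id} prefix of the stored value, so the same <user> entry can hold a bcrypt hash instead of the clear-text password. The class and method names are assumptions.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (not from the notes): {noop} versus {bcrypt} under the Spring Security 5
// delegating encoder. Class and method names are assumed.
public class NoopVersusBcrypt {
    // The encoder Spring Security 5 uses by default: it reads the "{id}" prefix of the
    // stored value and delegates to the matching PasswordEncoder (noop, bcrypt, ...).
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** True if rawPassword matches the stored value, whatever its {id} prefix. */
    public static boolean matches(String rawPassword, String storedValue) {
        return ENCODER.matches(rawPassword, storedValue);
    }

    /** Hashes rawPassword for storage; the delegating encoder's default id is bcrypt. */
    public static String encodeForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    public static void main(String[] args) {
        // The notes' entry, password="{noop}member": the secret itself sits in the config file.
        System.out.println("{noop} correct pw  : " + matches("member", "{noop}member"));
        System.out.println("{noop} wrong pw    : " + matches("wrong", "{noop}member"));

        // Hardened entry for the same user: the config only ever holds a salted hash.
        String stored = encodeForStorage("member");
        System.out.println("stored as bcrypt   : " + stored.startsWith("{bcrypt}"));
        System.out.println("{bcrypt} correct pw: " + matches("member", stored));

        // A stored value with no {id} prefix at all is rejected; this is the failure seen
        // when a pre-5 config is used with Spring Security 5 without adding {noop}.
        try {
            matches("member", "member");
        } catch (IllegalArgumentException e) {
            System.out.println("no prefix: " + e.getMessage());
        }
    }
}
```

In security-context.xml the hardened entry then reads password="{bcrypt}<value printed by encodeForStorage>" and the form login works unchanged.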

 
 The most basic setup (explanation 4)
================================================================
	<http> 
		<intercept-url pattern="/security/all" access="permitAll" />
		<intercept-url pattern="/security/member" access="hasRole('ROLE_MEMBER')" />  
		<intercept-url pattern="/security/admin" access="hasRole('ROLE_ADMIN')" />  
		<form-login />
	</http> 
	
	<!-- provider --> 
	<authentication-manager>
		<authentication-provider> 
			<user-service> 
				<user name="member" password="{noop}member" authorities="ROLE_MEMBER" /> 
				<user name="admin" password="{noop}admin" authorities="ROLE_MEMBER,ROLE_ADMIN" /> 
			</user-service> 
		</authentication-provider>
	</authentication-manager>
================================================================

 The most basic setup (explanation 5) - adding an error page
================================================================
	<http> 
		<intercept-url pattern="/security/all" access="permitAll" />
		<intercept-url pattern="/security/member" access="hasRole('ROLE_MEMBER')" />  
		<intercept-url pattern="/security/admin" access="hasRole('ROLE_ADMIN')" />  
		<form-login />
		<!-- 403 error handling -->
		<access-denied-handler error-page="/security/accessError"/>
	</http> 
	
	<!-- provider --> 
	<authentication-manager>
		<authentication-provider> 
			<user-service> 
				<user name="member" password="{noop}member" authorities="ROLE_MEMBER" /> 
				<user name="admin" password="{noop}admin" authorities="ROLE_MEMBER,ROLE_ADMIN" /> 
			</user-service> 
		</authentication-provider>
	</authentication-manager>
================================================================


 The most basic setup (explanation 6) - customizing the login page
================================================================
	<http> 
		<intercept-url pattern="/security/all" access="permitAll" />
		<intercept-url pattern="/security/member" access="hasRole('ROLE_MEMBER')" />  
		<intercept-url pattern="/security/admin" access="hasRole('ROLE_ADMIN')" />  
		<form-login />
		<!-- 403 error handling -->
		<access-denied-handler error-page="/security/accessError"/>
	</http> 
	
	<!-- provider --> 
	<authentication-manager>
		<authentication-provider> 
			<user-service> 
				<user name="member" password="{noop}member" authorities="ROLE_MEMBER" /> 
				<user name="admin" password="{noop}admin" authorities="ROLE_MEMBER,ROLE_ADMIN" /> 
			</user-service> 
		</authentication-provider>
	</authentication-manager>
================================================================

Spring Security authenticates with the session-cookie approach.
Here the traditional cookie-session approach is used. (For things like JWT, see spring-security-oauth2..)

 

1. The user attempts to log in (http request)
2. Starting from the AuthenticationFilter, the request goes down to the user DB as shown above
3. If the user exists in the DB, it is fetched as a UserDetails and a session is created for the user
4. It is stored in SecurityContextHolder, Spring Security's in-memory session store
5. A response is returned to the user together with the session ID
6. On subsequent requests the JSESSIONID is read from the request cookie and verified; if it is valid, an Authentication is handed over.
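The flow above in code, as an added example that is not from the notes: a UserDetailsService standing in for the user DB of steps 2-3 (it replaces the inline <user-service>), and a helper for step 6 that reads the Authentication which the filter chain restored from the HttpSession (looked up via JSESSIONID) into the thread-local SecurityContextHolder for this request. The class name and the sample rows are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Added example (not from the notes): the "user DB" of steps 2-3 and the lookup of step 6.
// Class name and sample rows are assumed.
public class NotesUserDetailsService implements UserDetailsService {

    /** Constructed sample rows: username -> {stored password, comma-separated roles}. */
    private static final Map<String, String[]> USER_TABLE = new HashMap<>();
    static {
        // The same two accounts as the notes' <user-service>; {noop} means clear text.
        USER_TABLE.put("member", new String[] {"{noop}member", "MEMBER"});
        USER_TABLE.put("admin",  new String[] {"{noop}admin",  "MEMBER,ADMIN"});
    }

    /** Step 3: the authentication provider calls this with the submitted username. */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String[] row = USER_TABLE.get(username);
        if (row == null) {
            // The provider reports this as a generic bad-credentials failure, so the
            // login form cannot be used to find out which usernames exist.
            throw new UsernameNotFoundException("user not found");
        }
        // roles("MEMBER") becomes the authority ROLE_MEMBER that hasRole('ROLE_MEMBER') checks;
        // the stored password keeps its {id} prefix for the delegating PasswordEncoder.
        return User.withUsername(username)
                   .password(row[0])
                   .roles(row[1].split(","))
                   .build();
    }

    /** Step 6: who is making the current request, as seen from a controller or a JSP tag. */
    public static String describeCurrentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            return "anonymous";   // no session, or a session without a login
        }
        return auth.getName() + " " + auth.getAuthorities();
    }
}
```

Wire it in with <beans:bean id="notesUserDetailsService" class="your.package.NotesUserDetailsService"/> and <authentication-provider user-service-ref="notesUserDetailsService"/> in place of the inline <user-service>.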

Create the Spring Security folder!!! Zip file attached, see below↓

Create a new Spring Security folder!

spring_security5.zip (0.02MB)
[pom.xml] copy-paste the file
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/maven-v4_0_0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<groupId>edu.bit</groupId>
	<artifactId>board</artifactId>
	<name>spring_board_5</name>
	<packaging>war</packaging>
	<version>1.0.0-BUILD-SNAPSHOT</version>
	
	<properties>
		<java-version>1.8</java-version>
		<org.springframework-version>5.0.7.RELEASE</org.springframework-version>
		<org.aspectj-version>1.6.10</org.aspectj-version>
		<org.slf4j-version>1.6.6</org.slf4j-version>
		<org.security-version>5.0.6.RELEASE</org.security-version>
	</properties>

	<repositories>
		<repository>
			<id>oracle</id>
			<url>http://www.datanucleus.org/downloads/maven2/</url>
		</repository>
	</repositories>

	<dependencies>
		<!-- Oracle JDBC driver -->
		<dependency>
			<groupId>oracle</groupId>
			<artifactId>ojdbc6</artifactId>
			<version>11.2.0.3</version>
		</dependency>

		<!-- Spring -->
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-context</artifactId>
			<version>${org.springframework-version}</version>
			<exclusions>
				<!-- Exclude Commons Logging in favor of SLF4j -->
				<exclusion>
					<groupId>commons-logging</groupId>
					<artifactId>commons-logging</artifactId>
				</exclusion>
			</exclusions>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-webmvc</artifactId>
			<version>${org.springframework-version}</version>
		</dependency>

		<!-- AspectJ -->
		<dependency>
			<groupId>org.aspectj</groupId>
			<artifactId>aspectjrt</artifactId>
			<version>${org.aspectj-version}</version>
		</dependency>

		<!-- https://mvnrepository.com/artifact/org.aspectj/aspectjweaver -->
		<dependency>
			<groupId>org.aspectj</groupId>
			<artifactId>aspectjweaver</artifactId>
			<version>${org.aspectj-version}</version>
		</dependency>

		<!-- Logging -->
		<dependency>
			<groupId>org.slf4j</groupId>
			<artifactId>slf4j-api</artifactId>
			<version>${org.slf4j-version}</version>
		</dependency>
		<dependency>
			<groupId>org.slf4j</groupId>
			<artifactId>jcl-over-slf4j</artifactId>
			<version>${org.slf4j-version}</version>
			<scope>runtime</scope>
		</dependency>
		<dependency>
			<groupId>org.slf4j</groupId>
			<artifactId>slf4j-log4j12</artifactId>
			<version>${org.slf4j-version}</version>
			<scope>runtime</scope>
		</dependency>
		<dependency>
			<groupId>log4j</groupId>
			<artifactId>log4j</artifactId>
			<version>1.2.15</version>
			<exclusions>
				<exclusion>
					<groupId>javax.mail</groupId>
					<artifactId>mail</artifactId>
				</exclusion>
				<exclusion>
					<groupId>javax.jms</groupId>
					<artifactId>jms</artifactId>
				</exclusion>
				<exclusion>
					<groupId>com.sun.jdmk</groupId>
					<artifactId>jmxtools</artifactId>
				</exclusion>
				<exclusion>
					<groupId>com.sun.jmx</groupId>
					<artifactId>jmxri</artifactId>
				</exclusion>
			</exclusions>
			<!-- <scope>runtime</scope> -->
		</dependency>

		<!-- @Inject -->
		<dependency>
			<groupId>javax.inject</groupId>
			<artifactId>javax.inject</artifactId>
			<version>1</version>
		</dependency>

		<!-- Servlet -->
		<dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>javax.servlet-api</artifactId>
			<version>3.1.0</version>
			<scope>provided</scope>
		</dependency>

		<dependency>
			<groupId>javax.servlet.jsp</groupId>
			<artifactId>jsp-api</artifactId>
			<version>2.1</version>
			<scope>provided</scope>
		</dependency>
		<dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>jstl</artifactId>
			<version>1.2</version>
		</dependency>

		<!-- Test -->
		<dependency>
			<groupId>junit</groupId>
			<artifactId>junit</artifactId>
			<version>4.12</version>
			<scope>test</scope>
		</dependency>

		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-test</artifactId>
			<version>${org.springframework-version}</version>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-jdbc</artifactId>
			<version>${org.springframework-version}</version>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-tx</artifactId>
			<version>${org.springframework-version}</version>
		</dependency>

		<dependency>
			<groupId>com.zaxxer</groupId>
			<artifactId>HikariCP</artifactId>
			<version>2.7.8</version>
		</dependency>


		<!-- https://mvnrepository.com/artifact/org.mybatis/mybatis -->
		<dependency>
			<groupId>org.mybatis</groupId>
			<artifactId>mybatis</artifactId>
			<version>3.4.6</version>
		</dependency>

		<!-- https://mvnrepository.com/artifact/org.mybatis/mybatis-spring -->
		<dependency>
			<groupId>org.mybatis</groupId>
			<artifactId>mybatis-spring</artifactId>
			<version>1.3.2</version>
		</dependency>


		<dependency>
			<groupId>org.bgee.log4jdbc-log4j2</groupId>
			<artifactId>log4jdbc-log4j2-jdbc4</artifactId>
			<version>1.16</version>
		</dependency>

		<dependency>
			<groupId>org.projectlombok</groupId>
			<artifactId>lombok</artifactId>
			<version>1.18.0</version>
			<scope>provided</scope>
		</dependency>


		<dependency>
			<groupId>com.fasterxml.jackson.core</groupId>
			<artifactId>jackson-databind</artifactId>
			<version>2.9.6</version>
		</dependency>

		<!-- Java objects to XML -->
		<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-xml -->
		<dependency>
			<groupId>com.fasterxml.jackson.dataformat</groupId>
			<artifactId>jackson-dataformat-xml</artifactId>
			<version>2.9.6</version>
		</dependency>

		<!-- Java objects to JSON -->
		<!-- https://mvnrepository.com/artifact/com.google.code.gson/gson -->
		<dependency>
			<groupId>com.google.code.gson</groupId>
			<artifactId>gson</artifactId>
			<version>2.8.2</version>
		</dependency>

		<!-- Spring Security -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-core</artifactId>
			<version>${org.security-version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>${org.security-version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>${org.security-version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-taglibs</artifactId>
			<version>${org.security-version}</version>
		</dependency>

	</dependencies>



	<build>
		<plugins>
			<plugin>
				<artifactId>maven-eclipse-plugin</artifactId>
				<version>2.9</version>
				<configuration>
					<additionalProjectnatures>
						<projectnature>org.springframework.ide.eclipse.core.springnature</projectnature>
					</additionalProjectnatures>
					<additionalBuildcommands>
						<buildcommand>org.springframework.ide.eclipse.core.springbuilder</buildcommand>
					</additionalBuildcommands>
					<downloadSources>true</downloadSources>
					<downloadJavadocs>true</downloadJavadocs>
				</configuration>
			</plugin>
			<plugin>
				<groupId>org.apache.maven.plugins</groupId>
				<artifactId>maven-compiler-plugin</artifactId>
				<version>2.5.1</version>
				<configuration>
					<source>1.8</source>
					<target>1.8</target>
					<compilerArgument>-Xlint:all</compilerArgument>
					<showWarnings>true</showWarnings>
					<showDeprecation>true</showDeprecation>
				</configuration>
			</plugin>
			<plugin>
				<groupId>org.codehaus.mojo</groupId>
				<artifactId>exec-maven-plugin</artifactId>
				<version>1.2.1</version>
				<configuration>
					<mainClass>org.test.int1.Main</mainClass>
				</configuration>
			</plugin>
		</plugins>
	</build>
</project>

Spring 5.0.7

 

Security is also a framework.

AOP - something encapsulated, something assembled. Security is also something assembled.

So each feature needs to be configured separately.

 

 

Today's questions

1. Explain Spring Security.

A framework used in Spring for 'security features'.

Authorization. Social login is also handled with an authentication key and an authorization key.

 


2. Explain the basic configuration and setup for applying Spring Security.

1. pom.xml: configure the four libraries
    ....
<!-- Spring Security -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-core</artifactId>
			<version>${org.security-version}</version>
		</dependency>
 
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>${org.security-version}</version>
		</dependency>
 
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>${org.security-version}</version>
		</dependency>
 
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-taglibs</artifactId>
			<version>${org.security-version}</version>
		</dependency>
        .....

Caution: the Security version must be lower than the Spring Framework version

2. web.xml configuration - caution --- the filters must be configured
 - the Korean (UTF-8) encoding handling, and below it the creation of the security object
 - put the corresponding xml into contextConfigLocation
 
First, copy-paste the Korean (character encoding) filter
	<filter>
		<filter-name>encoding</filter-name>
		<filter-class>org.springframework.web.filter.CharacterEncodingFilter
		</filter-class>
		<init-param>
			<param-name>encoding</param-name>
			<param-value>UTF-8</param-value>
		</init-param>
	</filter>
 
	<filter-mapping>
		<filter-name>encoding</filter-name>
		<servlet-name>appServlet</servlet-name>
	</filter-mapping>
    
	<!-- Spring Security Filter -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
 
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

Caution: the Spring Security filter must be pasted below the Korean encoding filter

 

[security-context.xml] create it in the appServlet folder!
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
	xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
      http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

	<!-- add this part: memorize it! -->
	<http>
		<form-login />
	</http>

	<!-- provider -->
	<authentication-manager>

	</authentication-manager>


</beans:beans>

Add the security-context.xml entry to [web.xml]!
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>/WEB-INF/spring/root-context.xml
					/WEB-INF/spring/security-context.xml
		</param-value>
	</context-param>


3. Explain authentication and authorization.

 Authentication - proving who you are - the ID and password at login
 Authorization - a qualification granted by someone else - admin vs. regular user (access rights to resources differ)


4. Explain XSS and CSRF.

XSS:

The attack target is the client.

It steals the client's cookie and session information.

XSS carries out malicious attacks on the client through site tampering or backdoors.

- Prevention: store important information on the server, encrypt the information

 

CSRF:

The attack target is the server.

CSRF forges requests and uses the user's privileges to carry out malicious attacks on the server.

Prevention: Referrer validation, use of a Security Token
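Both CSRF defences named above in one servlet filter, as an added example that is not from the notes and not Spring Security's own code: Origin/Referer validation and a per-session security token (synchronizer token) that is compared in constant time. The class, attribute and parameter names are assumptions; in a Spring Security app the built-in <csrf/> filter does the token part for you.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the notes): Referer/Origin validation plus a per-session
// synchronizer token, the two CSRF defences listed above. Names are assumed.
public class CsrfDefenceFilter implements Filter {
    public static final String TOKEN_ATTR = "CSRF_TOKEN";   // session attribute (assumed name)
    public static final String TOKEN_PARAM = "_csrf";       // hidden form field (assumed name)
    private static final SecureRandom RANDOM = new SecureRandom();
    private String expectedOrigin;   // e.g. "http://localhost:8080", from a web.xml init-param
    @Override public void init(FilterConfig config) {
        expectedOrigin = config.getInitParameter("expectedOrigin");
    }

    /** Token a JSP embeds in every state-changing form; created once per session. */
    public static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            byte[] raw = new byte[32];
            RANDOM.nextBytes(raw);   // unguessable, so a cross-site page cannot supply it
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }

    /** Referer validation: the request must originate from our own site (Origin preferred). */
    boolean sourceOk(HttpServletRequest req) {
        String src = req.getHeader("Origin");
        if (src == null) src = req.getHeader("Referer");
        if (src == null) return false;   // fail closed when neither header is present
        return src.equals(expectedOrigin) || src.startsWith(expectedOrigin + "/");
    }

    /** Token validation: submitted token must equal the session's, compared in constant time. */
    static boolean tokenOk(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        String got = req.getParameter(TOKEN_PARAM);
        if (expected == null || got == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     got.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String m = req.getMethod();   // read-only methods (GET/HEAD/OPTIONS) need no token
        boolean safe = "GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m);
        if (safe || (sourceOk(req) && tokenOk(req))) chain.doFilter(rq, rs);
        else ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF check failed");
    }
    @Override public void destroy() {}
}
```

With the Spring Security version used in these notes the built-in CSRF filter is enabled inside <http> by default, so the default <form-login /> page already sends the token; a custom login JSP has to include <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> or its POST is rejected with 403.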

 
